Skillv1.0.3

ClawScan security

Bark Push · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 16, 2026, 3:35 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: Files and instructions match the stated purpose (sending Bark push notifications); requested access is limited to a Bark device key and network calls to api.day.app.
Guidance: This skill appears to do exactly what it says: send notifications to Bark (api.day.app) using a device key. Before installing, confirm whether your OpenClaw registry actually supplies BARK_KEY or BARK_DEVICE_KEY (SKILL.md expects them but registry metadata listed none). Inspect the included scripts (bark-send.sh / bark-send.js) — they only send the provided title/body and optional fields to api.day.app, so ensure you are comfortable exposing notification content to that external service. If you plan to run npm install in the skill folder, be aware package.json declares axios (unused by the script); you can avoid running npm install if you only intend to use the provided shell or node scripts as-is. Finally, only store the Bark device key in an environment variable if you trust the runtime environment, since that key grants the ability to send pushes to your device.

Review Dimensions

Purpose & Capability: okThe skill's name/description (Bark push notifications) aligns with its code and instructions: both scripts send HTTP(S) requests to api.day.app using a Bark device key. There are no unrelated credentials, binaries, or surprising subsystems referenced.
Instruction Scope: noteSKILL.md and the included scripts only describe and perform actions needed to send notifications (reading BARK_KEY or BARK_DEVICE_KEY, constructing payloads, and POSTing to api.day.app). The instructions reference the OpenClaw workspace path (~/.openclaw/workspace/skills/...), and suggest adding env vars to ~/.zshrc — reasonable for a CLI helper. Note: the registry metadata earlier showed no required env vars, but SKILL.md lists BARK_KEY and BARK_DEVICE_KEY; this mismatch is minor but worth noticing.
Install Mechanism: okThere is no install spec and the skill is instruction-only with small helper scripts included. No external downloads or archive extraction are performed. The only packaged dependency is in package.json (axios), but the Node script uses built-in https; there is no automatic installation step that would fetch remote code.
Credentials: noteThe only sensitive data used is the Bark device key (BARK_KEY / BARK_DEVICE_KEY), which is appropriate and proportionate for sending pushes. As noted above, the registry metadata lists no required env vars while SKILL.md documents BARK_KEY and BARK_DEVICE_KEY — confirm which env var(s) your agent will actually provide before installing.
Persistence & Privilege: okThe skill does not request always:true, does not persist configuration outside the workspace, and is user-invocable. It does perform outbound network calls (expected for a notification sender) but does not request elevated privileges or modify other skills.